SID 2563

Msg

"NETBIOS NS lookup response name overflow attempt"

Summary

This event is generated when an attempt is made to exploit a vulnerability associated with the Symantec Firewall.

Classtype

attempted-admin

Impact

A successful attack may cause a heap overflow, permitting the execution of arbitrary code on the vulnerable host.

Detailed Information

There is a vulnerability in the way the Symantec Firewall handles NetBIOS Name Service response packets. If an attacker crafts a malicious UDP NetBIOS Name Service unsolicited response to a vulnerable Symantec Firewall that does not block port 137, it is possible to cause a heap overflow and execute abitrary code with kernel privileges. The vulnerability exists because of improper validation of the existence of required fields for the NetBIOS name returned. The default configuration does not allow UDP port 137 traffic and should not be exploitable if UDP port 137 is blocked.

Affected Systems

  • Symantec Norton Internet Security and Professional 2002,2003,2004
  • Symantec Norton Personal Firewall 2002,2003,2004
  • Symantec Norton AntiSpam 2004
  • Symantec Client Firewall 5.01, 5.1.1
  • Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)

Attack Scenarios

An attacker can craft a malicious UDP NetBIOS Name Service response,

possibly causing a heap overflow and the subsequent execution of arbitrary code with kernel privileges on an exploitable host.

Ease Of Attack

Simple.

False Positives

None known.

False Negatives

None known.

Corrective Action

Upgrade to the latest non-affected version of the software.

Contributors

  • Sourcefire Vulnerability Research Team
  • Judy Novak